Statement of John S. Tritak
Director, Critical Infrastructure Assurance Office
Bureau of Industry and Security
United States Department of Commerce
BEFORE THE HOUSE COMMITTEE ON GOVERNMENT REFORM'S SUBCOMMITTEE ON GOVERNMENT EFFICIENCY, FINANCIAL MANAGEMENT AND INTERGOVERNMENTAL RELATIONS
July 24, 2002


Introduction

Mr. Chairman, members of the Committee, I am honored to appear before you today to discuss cyber terrorism and the nation's critical infrastructure protection activities. I look forward to discussing with you the important role that the Critical Infrastructure Assurance Office (CIAO) plays in this environment.

As you know, the creation of the Department of Homeland Security is the most sweeping reorganization of our national security establishment in over 50 years. However, this decision was made on the basis of careful study and experience gained since September 11. The Administration considered a number of organizational approaches for the new Department proposed by various commissions, think tanks, and Members of Congress. The Secretary of Commerce, the Under Secretary and I - as well as all other senior management at the Commerce Department - fully support the President's plan and stand ready to undertake necessary efforts to facilitate the creation of the new Department as soon as possible.

The topic of this hearing - cyber security and its role in our nation's overall homeland security strategy - is a subject that I have been involved with intimately for many years. I am the Director of the Critical Infrastructure Assurance Office (CIAO) in the Department of Commerce. In addition, I am a member of the President's Critical Infrastructure Protection Board, and I work closely with Board staff in conducting and coordinating critical infrastructure protection activities. I have spoken to the private sector and to state and local government officials on the topic of critical infrastructure assurance and cyber security on several occasions. Through these activities, I have come to appreciate the need for greater coordination of efforts to protect our homeland security including cyber security.

I would like to take this opportunity to provide some background on the CIAO and to discuss briefly some of the specific activities and initiatives we are currently undertaking on cyber security and homeland security.

What are the Components of the Nation's Critical Infrastructure?

The United States has long depended on a complex of systems - critical infrastructures - to assure the delivery of vital services. Critical infrastructures comprise those industries, institutions, and distribution networks and systems that provide a continual flow of the goods and services essential to the nation's defense and economic security and to the health, welfare, and safety of its citizens.

These infrastructures are deemed "critical" because their incapacity or destruction could have a debilitating regional or national impact. These infrastructures relate to:

· Agriculture
· Food
· Water supply
· Public Health
· Emergency Services
· Government Services
· Defense Industrial Base
· Information and Telecommunications
· Energy
· Banking and finance
· Transportation
· Chemical Industry
· Postal and Shipping

Critical infrastructure assurance is concerned with the readiness, reliability, and continuity of infrastructure services (which rely on physical and cyber based assets) so that they are less vulnerable to disruptions, so that any impairment is of short duration and limited in scale, and that services are readily restored when disruptions occur.

To complicate matters further, each of the critical infrastructure sectors is becoming increasingly interdependent and interconnected. Disruptions in one sector are increasingly likely to affect adversely the operations of others. We are witnesses to that phenomenon now. The cascading fallout from the tragic events of September 11th graphically makes the business case for critical infrastructure protection. That the loss of telecommunications services can impede financial service transactions and delivery of electric power is no longer an exercise scenario. There can be no e-commerce without "e" - electricity. There can be no e-commerce without e-communications.

Our society, economy, and government are increasingly linked together into an ever-expanding national digital nervous system. Disruptions to that system, however and wherever they arise, can cascade well beyond the vicinity of the initial occurrence and can cause regional and, potentially, national disturbances.

Primary Threats to Critical Infrastructure Components

Threats to critical infrastructure fall into two overlapping categories:

· Physical attacks against the "real property" components of the infrastructures; and
· Cyber attacks against the information or communications components that control these infrastructures.

Assuring delivery of critical infrastructure services is not a new requirement. Indeed, the need for owners and operators to manage the risks arising from service disruptions has existed for as long as there have been critical infrastructures.

What is new are the operational challenges to assured service delivery arising from an increased dependence on information systems and networks to operate critical infrastructures. This dependence exposes the infrastructures to new vulnerabilities.

The cyber tools needed to cause significant disruption to infrastructure operations are readily available. Within the last three years alone there has been a dramatic expansion of accessibility to the tools and techniques that can cause harm to critical infrastructures by electronic means.

One does not have to be a "cyber terrorist" or an "information warrior" to obtain and use these new weapons of mass disruption. Those who can use these tools and techniques range from the recreational hacker to the terrorist to the nation state intent on obtaining strategic advantage. From the perspective of individual enterprises, the consequences of an attack can be the same, regardless of who the attacker is. Disruptions to the delivery of vital services resulting from attacks on critical infrastructures thus pose an unprecedented risk to national and economic security. What if the recent computer viruses Code Red and Nimda had hostile payloads in them and did more than just threaten the stability, reliability and dependability of the Internet?

Securing the nation's critical infrastructures against cyber attacks presents yet another difficult problem. The Federal government cannot post soldiers or police officers at the perimeters of telecommunications facilities or electric power plants to keep out digital attackers. There are no boundaries or borders in cyberspace.

Background on the Critical Infrastructure Assurance Office

The CIAO is not a new arrival to the homeland security effort: we have been working to realize the objective of critical infrastructure assurance for four years. The CIAO was created in May 1998 by presidential directive to serve as an interagency office located at the Department of Commerce to coordinate the Federal Government's initiatives on critical infrastructure assurance.

On October 16, 2001, President Bush signed Executive Order 13231 (the Order), entitled "Critical Infrastructure Protection in the Information Age." Under the Order, the CIAO was designated a member of and an advisor to the newly created President's Critical Infrastructure Protection Board (the Board). The Board was created to coordinate Federal efforts and programs relating to the protection of information systems and networks essential to the operation of the nation's critical infrastructures. In carrying out its responsibilities, the Board fully coordinates its efforts and programs with the Assistant to the President for Homeland Security.

Major CIAO Activities and Initiatives

CIAO's responsibilities for developing and coordinating national critical infrastructure policy focus on three key areas: (A) promoting national outreach and awareness campaigns both in the private sector and at the state and local government level; (B) assisting Federal agencies to analyze their own risk exposure and critical infrastructure dependencies; and (C) coordinating the preparation of an integrated national strategy for critical infrastructure assurance.

A. Outreach and Awareness

The Federal government acting alone cannot hope to secure our nation's critical infrastructures. The national policy of infrastructure assurance can only be achieved by a voluntary public-private partnership of unprecedented scope involving business and government at the Federal, State, and local levels. Forging a broad based partnership between industry and government lies at the heart of the CIAO's mission.

Private Sector Partnerships: CIAO has developed and implemented a nation-wide industry outreach program targeting senior corporate leadership responsible for setting company policy and allocating company resources. The challenge of such an effort is to present a compelling business case for corporate action. The primary focus of the CIAO's efforts continues to be on the critical infrastructure industries (i.e., agriculture, food, water, public health, emergency services, government, defense industrial base, information and telecommunications, banking and finance, postal and shipping, energy, chemical industry, and transportation). The basic thrust of these efforts is to communicate the message that critical infrastructure assurance is a matter of corporate governance and risk management. Senior management is responsible for securing corporate assets - including information and information systems. Corporate boards are accountable, as part of their fiduciary duty, to provide effective oversight of the development and implementation of appropriate infrastructure security policies and best practices.

In addition to infrastructure owners and operators, the CIAO's awareness and outreach efforts also target other influential stakeholders in the economy. The risk management community - including the audit and insurance professions - is particularly effective in raising matters of corporate governance and accountability with boards and senior management. In addition, the investment community is increasingly interested in how information security practices affect shareholder value - a concern of vital interest to corporate boards and management.

In partnership with these communities, the CIAO has worked to translate potential threats to critical infrastructure into business case models that corporate boards and senior management can understand. More corporate leaders are beginning to understand that tools capable of disrupting their operations are readily available not merely to terrorists and hostile nation states but to a wide range of potential "bad actors." As a consequence, more of them understand that the risks to their companies can and will affect operational survivability, shareholder value, customer relations, and public confidence.

The CIAO has also worked actively to facilitate greater communication among the private infrastructure sectors themselves. As individual Federal lead agencies formed partnerships with their respective critical infrastructure sectors, private industry representatives quickly identified a need for cross-industry dialogue and sharing of experience to improve the effectiveness and efficiency of individual sector assurance efforts. In response to that expressed need, the CIAO assisted its private sector partners in establishing the Partnership for Critical Infrastructure Security (PCIS). The PCIS provides a unique forum for government and private sector owners and operators of critical infrastructures to address issues of mutual interest and concern. It builds upon, without duplicating, the public-private efforts already being undertaken by the Federal Lead Agencies.

State and Local Government Partnerships: The CIAO has developed an outreach and awareness program for state and local governments to complement and support its outreach program to industry. State and local governments provide critical services that make them a critical infrastructure in themselves. They also play an important role as catalyst for public-private partnerships at the community level, particularly for emergency response planning and crisis management. The issue of securing the underlying information networks that support their critical services was a relatively new issue before September 11. State and local governments tend to be well organized as a sector, with multiple common interest groups.

Similar to its program for industry, the CIAO has laid out a plan to implement outreach partnerships with respected and credible channels within state and local government. CIAO has also met with the National Governors Association and the National Association of State Chief Information Officers to encourage input into the National Strategy for Cyberspace Security.

The front lines for the new types of threats facing our country, both physical and cyber, clearly are in our communities and in our individual institutions. Smaller communities and stakeholders have far fewer resources to collect information and analyze appropriate actions to take. Consequently, in February of this year, the CIAO began a series of four state conferences on Critical Infrastructures: Working Together in a New World, designed to collect lessons learned and applied from the events of September 11 from New York, Arlington, and communities across the United States. The intent of this conference series is to deliver a compendium of community best practices at the end of the first quarter of 2003. The first conference was held in Texas and the second in New Jersey. The last two will be held in the latter part of 2002 and the first quarter of 2003.

B. Support for Federal Government Infrastructure Activities

Homeland Security Information Integration Program: The Administration is proposing in the President's Fiscal Year 2003 budget request to establish an Information Integration Program Office (IIPO) within the CIAO to improve the coordination of information sharing essential to combating terrorism nationwide. The most important function of this office will be to design and help implement an interagency information architecture that will support efforts to find, track, and respond to terrorist threats within the United States and around the world, in a way that improves both the time of response and the quality of decisions. Together with the lead federal agencies, and guided strategically by the Office of Homeland Security, the IIPO will: (a) create an essential information inventory; (b) determine horizontal and vertical sharing requirements; (c) define a target architecture for information sharing; and (d) determine the personnel, software, hardware, and technical resources needed to implement the architecture. The foundation projects will produce roadmaps (migration strategies) that will be used by the agencies to move to the desired state.

Federal Asset Dependency Analysis - Project Matrix: The CIAO also is responsible for assisting civilian Federal departments and agencies in analyzing their dependencies on critical infrastructures to assure that the Federal government continues to be able to deliver services essential to the nation's security, economy, or the health and safety of its citizens, notwithstanding deliberate attempts by a variety of threats to disrupt such services through cyber or physical attacks.

To carry out this mission, the CIAO developed "Project Matrix," a program designed to identify and characterize accurately the assets and associated infrastructure dependencies and interdependencies that the U.S. Government requires to fulfill its most critical responsibilities to the nation. These are deemed "critical" because their incapacitation could jeopardize the nation's security, seriously disrupt the functioning of the national economy, or adversely affect the health or safety of large segments of the American public. Project Matrix involves a three-step process in which each civilian Federal department and agency identifies (i) its critical assets; (ii) other Federal government assets, systems, and networks on which those critical assets depend to operate; and (iii) all associated dependencies on privately owned and operated critical infrastructures.

Early experience with the CIAO's Project Matrix process has demonstrated such significant utility that the Office of Management and Budget has recently issued a directive requiring all Federal civilian agencies under its authority to fund and perform the analysis.

C. Integrated National Strategy for Critical Infrastructure Assurance

Finally, the CIAO also plays a major role with respect to the development and drafting of the two national strategies relating to critical infrastructure protection - the National Strategy for Cyber Space Security and the National Strategy for Homeland Security. Specifically, the CIAO coordinates and facilitates input from private industry, as well as state and local government, to the national strategies. The Office of Homeland Security has enlisted the CIAO to provide coordination and support for its efforts to compile information and private sector input to its strategy to protect the physical facilities of critical infrastructure systems. The CIAO, working with its private sector partners, also has been instrumental in coordinating input from the private sector to the cyber space security strategy.

Conclusion

The American economy is the most successful in the world. However, in the information age, the same technological capabilities that have enabled us to succeed can now also be turned against us. Powerful computing systems can be hijacked and used to launch attacks that can disrupt operations of critical services that support public safety and daily economic processes.

As the President and Governor Ridge have noted, today no Federal Agency has homeland security as its primary mission. Responsibilities for homeland security are dispersed throughout the Federal Government. The President's plan would combine key operating units that support homeland security so that the operations and activities of these units could be more closely directed and coordinated. This will serve to increase the efficiency and effectiveness of the Federal Government's critical infrastructure assurance and cyber security efforts.

The CIAO looks forward to continuing its role in advancing critical infrastructure protection policy in the new Department of Homeland Security. Thank you for the opportunity to appear before you today. I welcome any questions that you may have.